August 24, 2010

iTunes Users Being Victimized By Ongoing Scam

iTunes users need to be aware of an ongoing scam which attacks their accounts, racking up fraudulent charges on their PayPal and credit card accounts, according to various recent media reports.

IDG News Service, citing the technology blog TechCrunch and the San Jose Mercury News as sources, notes that the scam dates back to early last year, with victims finding themselves suddenly responsible for hundreds if not thousands of dollars in charges they did not authorize. According to IDG reporter Robert McMillan, however, the number of victims is rising.

BBC News Technology Reporter Maggie Shiels, who covered the ongoing scam in a Tuesday article, listed several examples of victims, ranging from one individual who posted via Twitter that he/she had been "hacked for $1,000 worth of software, videos and music," to another who told TechCrunch that their PayPal account had been charged more than $4,700. The latter victim stated that he/she "called security at PayPal and was told a large number of iTunes stores accounts were compromised."

Likewise, McMillan quoted a Facebook page from a victim named Layne Harris, who wrote that his iTunes account had been hacked and "someone made about $700 worth of purchases… I contacted Paypal (who was awesome btw, refunded all) and they said Apple has gotten so many attacks since June, they can barely keep up with reporting them all!"

According to McMillan, there are two main ways that scammers are attempting to commit the iTunes fraud. In one, scammers send out phishing emails that attempt to trick recipients into revealing their iTunes usernames and passwords, which are then seized and used by the hackers. The other is the sale of falsified gift codes which, according to those providing the codes, have to be used within a certain amount of time. Apple told IDG that legitimate iTunes gift codes do not expire.

PayPal told IDG that all customers were being reimbursed, and a source told McMillan that officials from the online payment service noted that the fraud was "happening on the iTunes side." That spokesperson referred further questions about the happenings to Apple.

In a statement emailed to both IDG and the BBC, the Cupertino, California company said: "iTunes is always working to prevent fraud and enhance password security of all of our users… But if your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about cancelling the card and/or issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately."

"We have been hearing about attacks on iTunes for a while and it seems it is possible to game iTunes and make money," Dan Kaminsky, chief scientist at a security company called Recursion, told Shiels on Tuesday. "I am sure Apple are getting a rapid education in what it means to be a mechanism that fraudsters can use to steal funds, but I don't expect this to be a long term problem or a product threatening one."

Gartner analyst Mike McGuire disagreed, telling BBC News, "If they don't aggressively sort this out, it can undo a lot of brand building and trust as they become this transaction hub for 150 million people's credit cards at last count."